Description
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.

Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
Published: 2026-01-26
Score: 7.5 High
EPSS: 1.5% Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

The vulnerability involves multiple denial‑of‑service flaws in React Server Components. By sending specially crafted HTTP requests to Server Function endpoints, an attacker can trigger server crashes, out‑of‑memory errors, or excessive CPU usage. This flaw depends on the specific code path executed and the application configuration, leading to availability loss and resource exhaustion.

Affected Systems

The affected packages are react‑server‑dom‑parcel, react‑server‑dom‑turbopack, and react‑server‑dom‑webpack, all provided by Meta (Facebook). Any application utilizing these packages as part of React Server Components is susceptible. Versions of these packages under the vulnerability are not listed in the advisory, so all installations should be reviewed.

Risk and Exploitability

The CVSS score of 7.5 marks the issue as high‑severity. The EPSS score of 1% indicates that zero‑day exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker can exploit the flaw by sending crafted HTTP requests to Server Function endpoints over the network, potentially exhausting CPU or memory resources and causing service disruption.

Generated by OpenCVE AI on April 18, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade react‑server‑dom‑parcel, react‑server‑dom‑turbopack and react‑server‑dom‑webpack to the latest released versions that contain the fix.
  • Deploy resource limits such as container CPU and memory quotas or system ulimits to mitigate over‑consumption of resources.
  • Enable monitoring of CPU, memory, and request logs, and configure alerts to detect abnormal spikes or repeated error patterns in Server Function handling.

Generated by OpenCVE AI on April 18, 2026 at 02:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-83fc-fqcc-2hmg React Server Components have multiple Denial of Service Vulnerabilities
History

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests
Weaknesses CWE-1284
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 13 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Facebook react
CPEs cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*
Vendors & Products Facebook react

Tue, 27 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Facebook
Facebook react-server-dom-parcel
Facebook react-server-dom-turbopack
Facebook react-server-dom-webpack
Vendors & Products Facebook
Facebook react-server-dom-parcel
Facebook react-server-dom-turbopack
Facebook react-server-dom-webpack

Mon, 26 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-502
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
Description Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
References

Subscriptions

Facebook React React-server-dom-parcel React-server-dom-turbopack React-server-dom-webpack
cve-icon MITRE

Status: PUBLISHED

Assigner: Meta

Published:

Updated: 2026-01-26T20:26:45.709Z

Reserved: 2026-01-16T19:49:26.309Z

Link: CVE-2026-23864

cve-icon Vulnrichment

Updated: 2026-01-26T20:25:06.606Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-26T20:16:16.773

Modified: 2026-02-13T15:23:05.013

Link: CVE-2026-23864

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-26T19:16:38Z

Links: CVE-2026-23864 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses